CVE-2023-33953 - How gRPC HPACK Table Parsing Errors Expose Your API to DoS Attacks

gRPC is a widely used framework for high-performance, language-agnostic Remote Procedure Calls. It sits at the core of many microservice architectures. But if you’re running a gRPC service, a 2023 vulnerability might put your API at risk to Denial of Service (DoS)—and the way it happens is sneakier than you think.

In this long read, we’ll break down CVE-2023-33953, a code flaw in gRPC’s HPACK parser (used in HTTP/2 headers) that can let attackers disconnect servers or hog your CPU and RAM with carefully crafted requests. We’ll use simple language, code snippets, and practical advice, so you know exactly how this affects you and what to do.

What is CVE-2023-33953?

Let’s get technical, but not too technical. HTTP/2 and gRPC both use a thing called HPACK to compress their headers for better performance. The HPACK decoder decompresses those headers while handling incoming gRPC requests.

Here’s what went wrong

CVE-2023-33953 is a set of vulnerabilities in the way gRPC’s HPACK code accounts for how much data is being buffered and parsed, which can be exploited to:

Waste your server’s CPU

The root cause? gRPC’s HPACK parser sometimes lets attackers send headers that look innocent, but actually make your server’s memory and CPU usage explode—or just force a disconnect.

Source/reference:
- CVE-2023-33953 at NIST
- Original gRPC GitHub security advisory

Three Ways Attackers Can Exploit This Vulnerability

gRPC’s HPACK parser had three main problems, now called “attack vectors.” Here’s how they work in practice.

1. Unbounded Memory Buffering: The Four-Gigabyte Header Attack

The HPACK parser was supposed to check header sizes and reject anything suspiciously large. But the size check happened _after_ reading the string! In practice, attackers could send headers requesting to buffer up to 4GB in memory—far more than you’d normally allow for a single header.

Exploit code (simplified Python, assuming raw socket and HPACK knowledge)

import socket
s = socket.create_connection(('target-grpc-server', 50051))
# Build a malicious HTTP/2 HEADERS frame with a huge HPACK string length
huge_header = b"\x00" * (4 * 1024 * 1024 * 1024)  # 4GB of zeroes
# frame building omitted for brevity; send raw data
s.sendall(your_crafted_frame_containing_huge_header)

*Warning: This is illustrative; full frame construction is complex and should be tested only in safe environments.*

2. Infinite Varint -Padding: The Endless Integer Attack

In HPACK, “varints” are variable-length integers, and their encoding lets you add an infinite number of leading zero bytes (by a quirk of the standard). Normally, that wouldn’t cause a problem, but gRPC’s parser wasn’t handling this edge case.

Exploit Steps

- Send a header with a varint field (like a string length), but precede it with thousands or millions of x80 bytes (that’s a “more” indicator in varint encoding)

Exploit code (HPACK varint abuse demo)

# Represent the integer '42' with varint, but lead with a million zeros
varint_zeros = b'\x80' * 100000 + b'\x2A'
# Frame structure left as an exercise; the key is sending excessive x80 bytes.

3. Infinite CONTINUATION Attack: The Fragmentation Exploit

HPACK headers can be split across multiple HTTP/2 frames. gRPC tried to check for excessively large metadata per frame, but attackers could bypass these checks by splitting a single header across many frames.

Exploit code (pseudo)

# Send: HEADERS (fragment 1) -> CONTINUATION (fragment 2) -> CONTINUATION (fragment 3) -> ... 
for i in range(100000):
    s.sendall(craft_continuation_frame(f'a: {i}'))

Why is This Dangerous?

gRPC powers some of the world’s biggest APIs—think Google, Netflix, Docker, and the world of cloud-native microservices. Any service endpoint exposed to the internet could be taken down with a sequence of nasty header frames, with clients able to dial up the memory and CPU used.

Hard to mitigate: The standard server settings won’t help if your code’s logic is flawed 

- Real-world impact: Forced disconnects (crashes), high cloud bills (CPU/memory spikes), cascading failures

The gRPC team moved fast to patch these issues.

- gRPC C++ fixed in v1.56.2 and above
- gRPC-Go, gRPC-Java: Check your client/server’s official release notes and upgrade to the latest secure versions

Monitor server memory and CPU for weird spikes from single IPs

See also:
- gRPC security advisories
- Mitre CVE page

Summary

If you run a gRPC-based service, CVE-2023-33953 means hostile clients can make your system buffer massive amounts of data, waste CPU with never-ending parsing, or just take your API out. It’s easy to exploit with nothing but network access.

The fix? Upgrade your gRPC libraries. The vulnerability makes a strong case for automated dependency management and careful parsing in all layers—not just your app code.

Stay safe, and keep your APIs patched!

*This post is for educational purposes only—do not test on systems you do not own.*

Timeline

Published on: 08/09/2023 13:15:00 UTC
Last modified on: 08/17/2023 14:15:00 UTC